From 52a1db773e5e5d8bc0a803f537ef074c63a84b54 Mon Sep 17 00:00:00 2001
From: sinanmohd
Date: Sat, 27 Dec 2025 09:17:51 +0530
Subject: chore(os/kay/mail): init noreply
---
 os/kay/modules/services/mail/default.nix | 26 +++++++++++++++++++++-----
 1 file changed, 21 insertions(+), 5 deletions(-)
(limited to 'os/kay/modules/services/mail/default.nix')
diff --git a/os/kay/modules/services/mail/default.nix b/os/kay/modules/services/mail/default.nix
index 01f44bb..7838801 100644
--- a/os/kay/modules/services/mail/default.nix
+++ b/os/kay/modules/services/mail/default.nix
@@ -22,11 +22,13 @@ in
 sops.secrets = {
 "mail.${domain}/dkim_rsa".sopsFile = ./secrets.yaml;
 "mail.${domain}/dkim_ed25519".sopsFile = ./secrets.yaml;
- "mail.${domain}/password".sopsFile = ./secrets.yaml;
+ "mail.${domain}/password/admin".sopsFile = ./secrets.yaml;
+ "mail.${domain}/password/noreply".sopsFile = ./secrets.yaml;
 };
 systemd.services.stalwart-mail.serviceConfig.LoadCredential = [
- "password:${config.sops.secrets."mail.${domain}/password".path}"
+ "password_admin:${config.sops.secrets."mail.${domain}/password/admin".path}"
+ "password_noreply:${config.sops.secrets."mail.${domain}/password/noreply".path}"
 "dkim_rsa:${config.sops.secrets."mail.${domain}/dkim_rsa".path}"
 "dkim_ed25519:${config.sops.secrets."mail.${domain}/dkim_ed25519".path}"
@@ -151,23 +153,37 @@ in
 directory."memory" = {
 type = "memory";
-
 principals = [
 {
 class = "admin";
 name = "${username}@${domain}";
- secret = "%{file:${credentials_directory}/password}%";
+ secret = "%{file:${credentials_directory}/password_admin}%";
 inherit email;
 }
+ {
+ class = "individual";
+ name = "no-reply@${domain}";
+ secret = "%{file:${credentials_directory}/password_noreply}%";
+ email = [ "no-reply@${domain}" ];
+ }
 {
 # for mta-sts & dmarc reports
 class = "individual";
 name = "reports@${domain}";
- secret = "%{file:${credentials_directory}/password}%";
+ secret = "%{file:${credentials_directory}/password_admin}%";
 email = [ "reports@${domain}" ];
 }
 ];
 };
+
+ sieve.trusted.scripts.noreply_reject_ingress.contents = ''
+ require ["envelope", "reject"];
+
+ if envelope :localpart :is "to" "no-reply" {
+ reject "550 This is a no-reply address";
+ stop;
+ }
+ '';
 };
 };
 }
-- 
cgit v1.2.3
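Review bot: The `reports@${domain}` principal still reads `password_admin`, so a class `individual` mailbox that only collects MTA-STS and DMARC reports authenticates with the same secret as the `admin` principal, and any mail client set up to read it ends up holding the admin password. Giving it its own secret, as this commit does for `no-reply`, would keep the admin credential out of mail clients: `secret = "%{file:${credentials_directory}/password_reports}%";` here, plus a matching `"mail.${domain}/password/reports".sopsFile` entry and a `password_reports:` line in `LoadCredential` in the first hunk. Separately, `noreply_reject_ingress` is only defined under `sieve.trusted.scripts` in this hunk and nothing visible attaches it to an SMTP stage, so it is worth confirming that it is referenced from the RCPT stage elsewhere in the file; if it is not, mail to `no-reply` is presumably still accepted. The enclosing settings block starts outside the hunk, so that wiring may simply not be shown.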